net: tls: fix returned read length with async decrypt

bmastbergen · bmastbergen · commit c29100a7e929 · 2025-11-05T12:07:55.000-05:00
jira VULN-136507 cve-pre CVE-2025-39682 commit-author Jakub Kicinski <kuba@kernel.org> commit ac437a5 We double count async, non-zc rx data. The previous fix was lucky because if we fully zc async_copy_bytes is 0 so we add 0. Decrypted already has all the bytes we handled, in all cases. We don't have to adjust anything, delete the erroneous line. Fixes: 4d42cd6 ("tls: rx: fix return value for async crypto") Co-developed-by: Sabrina Dubroca <sd@queasysnail.net> Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> Signed-off-by: Jakub Kicinski <kuba@kernel.org> Reviewed-by: Simon Horman <horms@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry picked from commit ac437a5) Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
@@ -2111,7 +2111,6 @@ int tls_sw_recvmsg(struct sock *sk,
 		else
 			err = process_rx_list(ctx, msg, &control, 0,
 					      async_copy_bytes, is_peek);
-		decrypted += max(err, 0);
 	}
 
 	copied += decrypted;

Original file line number	Diff line number	Diff line change
`@@ -2111,7 +2111,6 @@ int tls_sw_recvmsg(struct sock *sk,`
`2111`	`2111`	`else`
`2112`	`2112`	`err = process_rx_list(ctx, msg, &control, 0,`
`2113`	`2113`	`async_copy_bytes, is_peek);`
`2114`		`- decrypted += max(err, 0);`
`2115`	`2114`	`}`
`2116`	`2115`
`2117`	`2116`	`copied += decrypted;`